Help with Security

Posted on 2001-07-11
Last Modified: 2011-09-20
Can someone point me to some very good resources on designing win2k Security.  I need to limit access to resources over Terminal server connections.  Just looking for some step by step type examples on setting this up. Thanks
Question by:belink
13 Comments
 
LVL 12

Expert Comment

by:gidds99
ID: 6274963
Here is a link to Microsoft's guide to deploying TS

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

I will see what else I can find.

Gordon.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 6274991
Also here is Microsoft's document on W2K Network Security

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

Are these documents the type of thing you are looking for?

Gordon.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 6275003
0
 
LVL 12

Expert Comment

by:gidds99
ID: 6275017
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6275387
Port 3389 is the terminal server port. Basically the best advice is to close as many ports & protocols as possible without totally disabling the required internet services.
-I use tcp/ip filtering in the advanced option of local area connection.
-http://www.softforces.com/ntbook.htm
http://www.sans.org/infosecFAQ/win2000/hardening.htm
0
 
LVL 10

Accepted Solution

by:
blohrer earned 200 total points
ID: 6277942
What specific things are you looking to secure?  Desktop settings?  What options are available to your users?

Like taking the shutdown and restart options away from the users?

Or just how to limit the ports for users to access?  As said above the only port needed open for Terminal Services is 3389, unless you are going to run other services.

I have run W2k Terminal Servers over the internet for 100+ users.  If you are using Active Directory, one of the things I did was set up a Terminal Server OU (organizational unit).  I then modified the group policy on that OU to take things on the Start menu like RUN, SETTINGS, Shutdown and Restart away.  Made life a lot easier!!!
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6278189
Use ICA instead of RDP and they can't do much of anything.
0
 

Author Comment

by:belink
ID: 6280853
Wow, thanks for all the good input to everyone (I'm obviously going to have to divvy out points to more than one of you, 50 each of course)

blohrer: You have hit my situation on the head.  I already have the router configured for port 3389 to route to my server.  I love your idea about the OU.  That's probably what I will do.  I need to limit the Desktop settings and take things out of the Start menu, make it so they cannot see drives in My Computer, things of that nature.  I knew I could use Group Policies to do this, but I'm used to working with very small companies and the OU solution did not occur to me.  That seems like it would work.

mikecr: Could you give more detail (in other words, I'm not sure what you're talking about)? I know that TS uses RDP but I'm not familiar with ICA.

housenet: Thanks for the articles.  They have helped me learn more about 2000 Security but may be a little more than I need for this application. One Question, When you use the templates (As stated in the sans.org article)  If you apply a template to the machine (a win2k professional box in this case) does it affect ALL users, If not, How do you assign the template to just certain users.  Thanks for your input.

0
 
LVL 10

Expert Comment

by:blohrer
ID: 6280902
No problem belink... I had the same situation.  Just be careful of one thing: if these users are both Term Server users and local users with Windows2000 workstations, the group policy will be applied to both systems.  I didn't have this problem, but I would suggest, if you do, two different logins for this type of user.  One for Terminal Server, and one for their local workstation.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6280949
-To view the distinctions between what are user policy settings & computer policy settings, I suggest this.
-Create OU's.
-The properties of an OU have a group policy tab. When you edit the group policy for an OU, the options are separated by User & computer settings.
-If you move a user into the OU & this user has read & apply GPO permissions for the policy, the user settings will apply to the user.
-The same applies for computers moved into OU's.


-You can even look at a PC's local policy by typing MMC in run.. Add the snap in for Group policy & choose the option for local policy.
-The basic point is.. When looking at a group policy object, user & computer settings are very obvious because of the way it is organized.
0
 
LVL 10

Expert Comment

by:blohrer
ID: 6281471
Housenet... True, but we have users here that will have a policy applied to them.  They MAY login to both a Terminal Server and (I am assuming) a regular Windows2000 PC.  The initial question was how to secure a terminal server, taking away certain options.  Most of these options are on the user level.  So if a user needs to be secured on a terminal server (e.g. take away the run start menu item so they can't have access to the local drives via a command prompt) the user policy would also extend to their W2K network machine.

0
 
LVL 12

Expert Comment

by:Housenet
ID: 6281510
blohrer sounds good to me.
0
 

Author Comment

by:belink
ID: 6282757
In response, blohrer, the users will only be logging LOCALLY into a win2k Pro box that is not a part of a domain (just a workstation, no server).  They will then initiate a Terminal Server session to a remote TS, so I assume I would only need one logon on the server side for this. I am going to experiment with this today and see what I can come up with.  Thanks again for the input.
0
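
To check which of the user-level restrictions discussed in this thread (Run, Settings, Shut Down, hidden drives) actually landed on a given logon, the following added example, which is not part of the original thread, reads the per-user Explorer policy values for the current session. It assumes a Windows version with PowerShell 3.0 or later; the function names are hypothetical, and the registry value names are the standard Explorer policy values behind those settings.

```powershell
# Added example (not from the thread): report per-user Explorer restrictions
# for the account running this session. Function names are hypothetical.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Start menu restrictions mentioned in the thread, stored as DWORD 1 when on.
$FlagChecks = [ordered]@{
    NoRun        = 'Run removed from Start menu'
    NoClose      = 'Shut Down / Restart removed'
    NoSetFolders = 'Settings folders removed from Start menu'
}

function Convert-DriveMask {
    param([int]$Mask)
    # Drive restrictions are a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $letters = foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { "$([char](65 + $i)):" }
    }
    if ($letters) { $letters -join ' ' } else { 'none' }
}

function Get-ExplorerRestriction {
    # The key is absent when no user policy has been applied to this account.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    foreach ($name in $FlagChecks.Keys) {
        $value = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            ValueName = $name
            Setting   = $FlagChecks[$name]
            State     = if ($value -eq 1) { 'enforced' } else { 'not set' }
        }
    }

    # NoDrives hides drives in My Computer; NoViewOnDrive blocks opening them.
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { 0 }
        [pscustomobject]@{
            ValueName = $name
            Setting   = 'Drives affected'
            State     = Convert-DriveMask -Mask $value
        }
    }
}

Get-ExplorerRestriction | Format-Table -AutoSize
```

Running it once inside the Terminal Server session and once at the workstation with the same account shows whether the user policy follows the logon to both machines, which is the situation blohrer describes.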
